NTT Secure Platform Laboratories Yuma Kurogome Youth Keynote, 51th Young Researchers and Engineers Group for Information Science #wakate2018 2018/10/07
Research Engineer @ NTT Secure Platform Laboratories About Me * Named after Microsoft Windows NT Driver Development Kit Working on endpoint security field. I’ve started to learn mountaineering & climbing influenced by Encouragement of Climb (ヤマノススメ) & The Summit of the Gods (神々の山嶺). 2018/09/17 – 2018/09/19 Grandes Jorasses, Via Normale, AD IV. Unfortunately, we couldn’t reach the mountain peak due to the large randkluft.
Is … This Presentation Is Not … • A brief introduction of obfuscation techniques • About best practices on deobfuscation as far as I know • A comprehensive survey • About other technical protections • About techniques not for software protection e.g. IOCCC Expected Outcome After this talk, you’ll be able to • have better understanding of the theory, practice the underlying thinking of deobfuscation • get along well with your boss when he said, “Can you read assembly language? Then, please analyze this obfuscated malware used for targeted attack, from tomorrow.” Obfuscation 難読化 ↕ Deobfuscation 難読化解除? 非難読化? 易読化? ɑ̀ bfəskéɪʃən Protection against end-users (Man-At-The-End attackers) Legal protection Technical protection Obfuscation Encryption Server-side execution Trusted native code Collberg et al. A Taxonomy of Obfuscating Transformations. 1997. https://researchspace.auckland.ac.nz/handle/2292/3491
Obfuscate ’ Obfuscation is a transformation from program to functionally equivalent program ′ which is harder to extract information than from . Abstraction Source code IR Binary machine code Unit Instruction Basic block Loop Function Program System Dynamics Static Dynamic Target Constants Variables Code logic Code abstraction
Representation Binary Machine Code Source Code Preprocessor Macro __forceinline Keyword constexpr Optimization Pass Binary Rewriting Abstraction Built-in compiler optimization can be used for both obfuscation & deobfuscation. Especially loop optimization tends to change code logic. mov esi, esi xchg cx, cx mov edx, 0x1 dec edx According to the comprehensive survey by Banescu, there are 31 type of obfuscation transformations. Known Techniques • Opaque Predicates • Mixed Boolean-Arithmetic • Virtualization Obfuscation • Control Flow Flattening Instead, we discuss 4 interesting obfuscation transformations and countermeasures. Banescu. A Tutorial on Software Obfuscation. 2017. https://mediatum.ub.tum.de/doc/1367533/1367533.pdf Here, we do not care about straightforward transformations: Because we can get rid of them by optimization.
classified as true predicate, false predicate or dynamic opaque predicates, etc. according to the type of branch, but the key idea is the same – effective use of deterministic operation. For example, in Windows, GetCurrentProcess() always returns constant pseudo-handle. Opaque Predicates Deterministic Operation call GetCurrentProcess cmp eax, 0xfffffff je always_taken __always_taken: … __never_taken: … ✔ Collatz Conjecture = ቐ 2 %2 = 0 3 + 1 %2 = 1 1 Wang et al. Linear Obfuscation to Combat Symbolic Execution. ESORICS, 2011. https://dl.acm.org/citation.cfm?id=2041241
Virtual Machine Have you ever implemented interpreter or emulator? Virtualization obfuscation is something like that. VM Entry Fetch Decode Execute handler_push handler_pop handler_add handler_xor … The bytecode does not depend on the ISA of the host machine. reg_0 reg_1 … reg_ip reg_sp A1 00 05 B8 … env->regs[R_ECX] = (ctrl & (1 << 6)) ? 31 - clz32(res) : ctz32(res); Defining complex instructions from existing semantics – like SIMD instructions. For example, pcmpestri instruction uses and, shift, decrement and branching. Below is the QEMU code (target/i386/ops_sse.h).
Duplication Direct Threaded Code handler_push handler_pop handler_add handler_xor … handler_push handler_pop handler_pop’ handler_add handler_push’ handler_push’’ handler_xor … Instruction handlers of different syntax are generated and assigned randomly. It is originally a technique for performance optimization used in cpython (Python/ceval.c), ruby (vm_*) and modern script engines. case handler_push: stack[reg_sp++] = reg_01; break; case handler_push: stack[reg_sp++] = reg_01; goto *bytecode[++reg_ip].insn.addr; Jump to the next handler address Return to the virtual CPU
Unnecessarily Jump Table int original() { printf("Hello, "); printf("world!¥n"); return 0; } int obfuscated() { int next = 0; while(1){ switch(next){ case 0: printf("Hello, "); next = 1; break; case 1: printf("world!¥n"); return 0; } } } This is a method to putting each basic block as a case of a switch statement. A pseudo-counter is incremented in an infinite loop. Wang. A Security Architecture for Survivability Mechanisms. PhD thesis, 2000. https://www.cs.virginia.edu/~jck/publications/wangthesis.pdf
Tools • Virtualize • Jit • JitDynamic • Flatten • Merge • Split • RegArgs • AddOpaque • EncodeLiterals • EncodeData • EncodeArithmetic • InitOpaque, UpdateOpaque • InitEntrypy, UpdateEntropy What is the strongest obfuscation can be supposed? – Indistinguishablity obfuscation (functional encryption). But impractical still. If applied, two semantically equivalent programs become cannot be distinguished. There are some commercial obfuscator e.g. VMProtect, Themida and Epona. As an academic project, Tigress and obfuscator-llvm are well-known. • InitImplicitFlow • AntiBranchAnalysis, InitBranchFuns • EncodeExternal, InitEncodeExternal • AntiAliasAnalysis • AntiTaintAnalysis • Ident • CleanUp • Info • Measure • Copy • RandomFuns • Leak Transformations implemented in the Tigress are: http://tigress.cs.arizona.edu/
is the strongest obfuscation can be supposed? – Indistinguishablity obfuscation (functional encryption). But impractical still. If applied, two semantically equivalent programs become cannot be distinguished. There are some commercial obfuscator e.g. VMProtect, Themida and Epona. As an academic project, Tigress and obfuscator-llvm are well-known. http://tigress.cs.arizona.edu/ Ready-to-use Tools
Program Analysis De Facto Standard SMT Solver Intermediate Representation Symbolic Execution Program Synthesis Yices2 Z3 CVC4 BAP Syntia etc. Also, recent researches come to the rescue. After brief description, let’s proceed the demo. In the context of malware analysis, it is common to use the scripting functions of IDA Pro. IDAPython Loader Processor Module from idc import * from idaapi import * from keystone import * import struct CODE = b’mov esi, esi;’ CODE += b’xchg cx, cx;’ CODE += b’mov edx, 0x1;’ CODE += b’dec edx;’ ks = Ks(KS_ARCH_X86, KS_MODE_32) encoding, _ = ks.asm(CODE) CODE = b’’ for opcode in encoding: CODE += struct.pack(‘<B’, opcode) text = GetManyBytes(start, offset) pos = text.find(dead_code) while pos != -1: for i in range(len(dead_code)): Patch_Byte(start + pos + i, 0x90) … You can search and remove simple obfuscation with IDAPython. Microcode API
In principle, CDCL is a depth-first search of a binary search tree with following rules: • Unit propagate • Deduce • Fail • Backtrack • Learn conflict clause And there are more heuristics: • VSIDS • Restart strategy … devision_level = 0 if unit_propagate() is CONFLICT: return UNSAT while not all_variables_assigned(): decide_next_branch() devision_level += 1 if unit_propagate() is CONFLICT: b_level = conflict_analysis() if b_level < 0: return UNSAT else: backtrack(b_level) decision_level = b_level return SAT If you are interested in algorithm of SAT/SMT solver, refer the book Handbook of Satisfiability.
Representation Binary Machine Code Source Code Intermediate Representation SSA Form Assembly Code SAT Problem CNF Form SMT Problem SAT Solution SMT Solution CNF Solution The thing is, IR is not only for compiler optimization. Long Journey Then, how to translate binary machine code into a BitVector formula?
Operational Semantics SIMPL from Schwartz et al. Schwartz et al. All You Ever Wanted to Know About Dynamic Taint Analysis. IEEE S&P, 2010. https://dl.acm.org/citation.cfm?id=1849981 …
Analysis SSA Form A method to dynamically track data dependencies between source and sink. Defining Good IR is Hard Kim et al. Testing Intermediate Representations for Binary Analysis. ASE, 2017. https://softsec-kaist.github.io/MeanDiff/ • Flag registers • Memory model • FP • SIMD See IR comparison by Kim et al. … reg_01 = 5 reg_02 = reg_01 – 3 reg_01 = reg_01 * 2 reg_011 = 5 reg_021 = reg_011 – 3 reg_012 = reg_011 * 3 BitVector
. Input Generation 1. Treats input value as a symbolic value 2. Constrain branch conditions for each execution path 3. Get concrete input value through the SMT solver. Looks good, but the performance of SMT solver varies greatly depends on how much concretize variables to be used (concolic testing), how to handle loops and recursion and how to constrain path condition, etc. Also, accurately implementing symbolic execution is difficult; See the bug collection by Xu et al. Xu et al. Concolic Execution on Small-Size Binary Codes: Challenges and Empirical Study. DSN, 2017. https://github.com/hxuhack/logic_bombs int test(int x, int y, int z) { if (x > y) x = x - y; if (x < 2018) z = x + y; y = 0; ... } x > y x = x - y y = 0 x < 2018 z = x + y y = 0 x < 2018 z = x - y y = 0 y = 0 > ∧ < 2018 > ∧ > 2018 ≦ ∧ < 2018 ≦ ∧ > 2018 ✔ ✔ ✔ ✗ ✗ ✗
more information, refer the book Program Synthesis. https://rishabhmit.bitbucket.io/papers/program_synthesis_ now.pdf CEGIS Counterexample-guided inductive synthesis Synthesizer Verifier def synthesizer(inputs): (1 … ) = inputs query = ∃. (1 , ) ∧ . . .∧ ( , ) result, model = decide(query) if result is SAT: return model else: return UNSAT def verifier(P): query = ∃. ¬(, ) result, model = decide(query) if result is SAT: return model else: return valid def refinement_loop(): inputs = φ while True: candidate = synthesizer(inputs) if candidate is UNSAT: return UNSAT result = verifier(candidate) if result is valid: return candidate else: inputs.append(res) inputs Candidate program Counterexample search space; IR fragments ✔ ✗ Symbolic Execution
et al. Oracle-Guided Component-Based Program Synthesis. ICSE, 2010. https://dl.acm.org/citation.cfm?id=1806833 Blazytko et al. Syntia: Synthesizing the Semantics of Obfuscated Code. USENIX Security, 2017. https://www.usenix.org/conference/usenixsecurity17/technical- sessions/presentation/blazytko Stochastic Search Since the SMT solver is time- and resource-consuming, there are methods for heuristically evaluating the combination of IR fragments instead of solving the SMT problem: • Metropolis-Hastings • Monte Carlo Tree Search (MCTS) • Bayesian Net etc. Mostly program synthesis has been studied in the PL field, but recently it has become a hot topic in the ML field e.g. NIPS, ICLR and ICML – especially about neural program synthesis. There is a case that the method using CEGIS and MCTS was used in deobfuscation. Assign evaluation values to each node of the tree i.e. operation, and optimize the combination.
Way of Thinking Ready-to-use Technique How can we know if a path will always be executed? • Dynamic analysis – is not the best choice. How many times will you re-run obfuscated code? • As you already know, symbolic execution is a better way. def opaque_predicate_detection(pc): … instruction.setAddress(pc) … if instruction.isBranch(): # Opaque Predicate AST op_ast = Triton.getPathConstraintsAst() # Try another model model = Triton.getModel(astCtxt.lnot(op_ast)) if model: print "not an opaque predicate" else: if instruction.isConditionTaken(): print "opaque predicate: always taken" else: print "opaque predicate: never taken“ … ea = ScreenEA() opaque_predicate_detection(ea) With , you can detect opaque predicate (modified from src/examples/python/proving_opaque_predicat es.py). https://github.com/JonathanSalwan/Triton/
Way of Thinking Ready-to-use Technique How can we know if a path will always be executed? • Dynamic analysis – is not the best choice. How many times will you re-run obfuscated code? • As you already know, symbolic execution is a better way. With and , you can detect opaque predicate and also call stack tampering (p.11) from GUI: I am glad to inform you that opaque predicate detection core is written in OCaml (binsec/src/backwards/opaque.ml). https://github.com/binsec/binsec https://github.com/RobinDavid/idasec APT28 X-Tunnel, 99b45…
Way of Thinking from arybo.lib import MBA def f(x): v0 = x*0xe5 + 0xF7 … (See p.13) mba = MBA(8) x = mba.var('x') ret = f(x) app = ret.vectorial_decomp([x]) print(app) print(hex(app.cst().get_int_be())) https://github.com/quarkslab/arybo Ready-to-use Technique Syntax is different from original code, but they are semantically-equivalent. Your call: • Execute an instruction sequence divided into chunks by dynamic analysis, and compare result with simple operations – straightforward solution • Construct AST via IR and make use of term rewriting • Generate a simple instruction sequence equivalent to MBA through program synthesis Arybo constructs AST from given equations and simplify it with the aid of pattern matching and bit-blasting. You can replace f(x) with an IR chunk seems to be MBA and simplify it. Arybo officially supports integration with . Also, Z3 has own term simplifier so you can use simplify().
Way of Thinking Hints: • First, we need to identify where is the VM Entry. The standard move is to pay attention to top of jump table and VM management structure. However, there is a possibility that jump table has been erased by direct threaded code • Let's look for a process to update the virtual instruction pointer • Imagine syntax and semantics. Arithmetic and logical operators take arguments and write the return value to the virtual register in the (almost) same way VM Entry Fetch Decode Execute handler_push handler_pop handler_add handler_xor … reg_0 reg_1 … reg_ip reg_sp A1 00 05 B8 …
Technique • VMHunt, a tool to detect location of virtualized code will be released soon. • Syntia, a program synthesis-based library to simplify virtualized code and MBA is publically available. • Recently, Jonathan Salwan who is the author of have also published research results combining various methods – which is able to defeat Tigress. Xu et al. VMHunt: A Verifiable Approach to Partially-Virtualized Binary Code Simplification. ACM CCS, 2018. https://github.com/s3team/VMHunt (empty repository for now) Blazytko et al. Syntia: Synthesizing the Semantics of Obfuscated Code. USENIX Security, 2017. https://github.com/RUB-SysSec/syntia Salwan et al. Symbolic Deobfuscation: From Virtualized Code to Back to The Original. DIMVA, 2018. http://shell-storm.org/talks/DIMVA2018-deobfuscation-salwan-bardin-potet.pdf Processor Module reg_names = [ # General purpose registers “reg_0", “reg_1", ... ] instruc = [ {'name': 'push', 'feature': CF_USE1}, # 0 {'name': 'pop', 'feature': CF_CHG1}, # 1 … ]
The Way of Thinking int next = 0; while(1){ switch(next){ case 0: … next = 1; break; case 1: … Ready-to-use Technique It is necessary to combine the methods introduced so far. Hints: • First, take a look at branching condition of jump table • Typically, an unconditional branch or a relatively simple path constraint determines the next block • There is no guarantee that there will always be infinite loops. For example, it is possible that the number of times of execution is determined for each block • Remember taint analysis and compiler optimization. Yadegari et al. A Generic Approach to Automatic Deobfuscation of Executable Code. IEEE S&P, 2015. https://ieeexplore.ieee.org/document/7163054 Let's make your own tools. Reproduction of Yadegari et al. will be a milestone:
Representative Obfuscation Opaque Predicates Mixed Boolean- Arithmetic Virtualization Obfuscation Control Flow Flattening Deobfuscation SMT-based Program Analysis Both are important: • Gaining the experiences in the field • Learning the principles of computer science
keras import … import cv2 model = load_model(model_path) cap = cv2.VideoCapture(DEVICE_ID) while True: ret, frame = cap.read() test = prepare_image(frame) probas = model.predict(test) if probas.argmax(axis=-1) is target: decode_and_drop_malware() break A tutorial level face recognition becomes evil. In this year, the technique called DeepLocker was proposed. DeepLocker uses DNN-based personal authentication for target identification of target attacks, and at the same time embeds the variables of the code in the weight of the DNN. Therefore, Analyzing DNN or other ML models will become important. Machine Learning SMT-based Program Analysis Analysis of JIT-based obfuscation (advanced version of virtualization obfuscation) and analysis of obfuscated data flow called implicit flow is open problem. Also, studies on obfuscation transformation robust to symbolic execution are beginning; virtualization and flattening reduce the speed of symbolic execution. Banescu et al. Predicting the Resilience of Obfuscated Code Against Symbolic Execution Attacks via Machine Learning. USENIX Security, 2017.https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-banescu.pdf Kirat et al. DeepLocker - Concealing Targeted Attacks with AI Locksmithing. Black Hat USA, 2018. https://i.blackhat.com/us-18/Thu-August-9/us-18-Kirat-DeepLocker-Concealing-Targeted-Attacks- with-AI-Locksmithing.pdf
• The IDA Pro Book, 2nd Edition • Möbius Strip Reverse Engineering http://www.msreverseengineering.com/ • Diary of a reverse-engineer https://doar-e.github.io/ • SAT/SMT by example https://yurichev.com/writings/SAT_SMT_by_example.pdf • The academic papers written by notable researchers: Babak Yadegari, Christian Collberg, Dongpeng Xu, Hui Xu, Jiang Ming, Jonathan Salwan, Kevin Patrick Coogan, Matias Madou, Matthias Jacob, Monirul Sharif, Mila Dalla Preda, Robin David, Rolf Rolles, Saumya Debray, Sebastien Banescu and Xabier Ugarte- Pedrero • If you are interested in real world obfuscated malware, Nymaim is a good starting point Further Readings
ntddk
sankaku0724
0x1shu
smartfukushilab1
beomi
kentaitakura
de9uch1
taoxiaomark
shunk031
o_ob
waka_90b
fta98
trafficbrain
colly
62gerente
jeffersonlam
sergeychernyshev
yeseniaperezcruz
gr2m
eileencodes
pauljervisheath
addyosmani
akosma
geoffreycrofte
brad_frost
![15 Copyright©2018 NTT corp. All Rights Reserved. [] = ,∧,∨,⊕,](https://files.speakerdeck.com/presentations/d581afa782624a629964475fd0e0aa98/slide_14.jpg){kind=link}
